参考网址:

https://www.cnblogs.com/reboot51/p/8328720.html
https://www.elastic.co/guide/en/x-pack/5.6/actions-email.html #邮件设置

elasticsearch 配置

xpack.notification.email.account:
    exchange_account:
        # Profile selects how the outgoing message is formatted; the three watcher
        # actions below reference this same account via "profile": "outlook".
        profile: outlook
        email_defaults:
            # Sender applied to actions that do not set their own `from`
            # (none of the watchers below do).
            from: [email protected]
        smtp:
            auth: true
            # NOTE(review): STARTTLS is disabled and the relay is addressed on port 25,
            # so the SMTP login below and the alert contents travel to the relay
            # unencrypted — confirm whether the relay offers STARTTLS (or an implicit
            # TLS port) and enable it.
            starttls.enable: false
            host: smtpdm.aliyun.com
            port: 25
            user: [email protected]
            # Cleartext credential in elasticsearch.yml: keep the file readable only by
            # the elasticsearch service user and rotate it if this page is shared.
            # Newer releases accept a keystore-backed `smtp.secure_password` instead —
            # check whether the deployed version supports it.
            password: hkxxx2016

watcher 配置

1.syslog 数量监控

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "syslog-*"
        ],
        "types": [],
        "body": {
          "size": 0,
          "query": {
            "range": {
              "@timestamp": {
                "gt": "now-1m"
              }
            }
          },
          "sort": [
            {
              "@timestamp": {
                "order": "desc"
              }
            }
          ]
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 10
      }
    }
  },
  "actions": {
    "email": {
      "throttle_period_in_millis": 60000,
      "email": {
        "profile": "outlook",
        "priority": "high",
        "to": [
          "[email protected]"
        ],
        "subject": "syslog 产生{{ctx.payload.hits.total}}条记录 ",
        "body": {
          "html": "syslog索引 一分钟内产生{{ctx.payload.hits.total}}条记录,请注意查看"
        }
      }
    }
  }
}

2.elastic 状态报警

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "http": {
      "request": {
        "scheme": "http",
        "host": "10.25.234.176",
        "port": 9200,
        "method": "get",
        "path": "/_cluster/health",
        "params": {},
        "headers": {}
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.status": {
        "not_eq": "green"
      }
    }
  },
  "actions": {
    "email": {
      "throttle_period_in_millis": 60000,
      "email": {
        "profile": "outlook",
        "priority": "high",
        "to": [
          "[email protected]"
        ],
        "subject": "elasticsearch状态为{{ctx.payload.status}},注意查看",
        "body": {
          "html": "elasticsearch状态为{{ctx.payload.status}},注意查看!"
        }
      }
    }
  }
}

3.延时报警

{
  "trigger": {
    "schedule": {
      "cron": "0/30 * 1-6 ? * 2-6"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "simulation_adjust_job*"
        ],
        "types": [],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [
                {
                  "query_string": {
                    "query": "task_accumulative_time_consuming:>3000"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gt": "now-30s"
                    }
                  }
                }
              ]
            }
          },
          "sort": [
            {
              "@timestamp": {
                "order": "desc"
              }
            }
          ]
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 3
      }
    }
  },
  "actions": {
    "email": {
      "throttle_period_in_millis": 60000,
      "email": {
        "profile": "outlook",
        "priority": "high",
        "to": [
          "[email protected]"
        ],
        "subject": "【严重】模拟交易成交时间",
        "body": {
          "html": "30s内成交时间超过3秒的有{{ctx.payload.hits.total}}条记录,请注意查看!"
        }
      }
    }
  }
}